CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

There are a couple of OS deployment web services out there, like the legendary one from Maik Koster, which is great (it should be built into the product!). We have been using and developing our own OSD web service at Onevinn, which we have used for a couple of years now. It has been developed by my colleague Johan Schrewelius, who has done a marvelous job with it!!

We have been planning to share this for a long time but never found the time to complete it. At today’s System Center User Group Sweden – Client day at Microsoft in Sweden we thought it was time!

It can be downloaded from Technet Galleries here with complete documentation as well: https://gallery.technet.microsoft.com/Web-Service-for-OS-93b6ecb8

It contains the following features which can be used once installed.

[Image: WebserviceFeature]

One reason we started doing this is, for instance, the need to delete primary users during OSD, so that the primary user can be set once again during OS deployment with the history removed.

The installation is a simple setup that you run on the server.

[Image: Setup]

Configure the service account to be used.

[Image: Setup1]

To make it easy to use there are sample scripts included as well which can easily be used in a Task Sequence.

[Image: PowerShell sample scripts]

All configuration is done in the Configuration.ps1 file, which all the other scripts use, so we only need to configure this once.

[Image: PowerShell script config]

This makes it really easy to include in a Task Sequence as shown below.

[Image: TaskSequenceCommand]

Why use a web service? Well, we move the logic to the server side, which makes our OSD much more stable and less latency sensitive than when you run scripts against the Configuration Manager server in a Task Sequence. We don’t have to open more than port 443/80 from clients to the server, as we don’t run any scripts in the Task Sequence; it just calls a web service.

As I wrote before, the download includes complete documentation, so check it out once you have downloaded it to see how to get started!

There are many solutions out there for setting the OSD background to show progress during OS deployment. My colleague Johan Schrewelius at Onevinn has written a great one that shows:

  • Time elapsed
  • Host information
  • Current OSD Step
  • Custom background
  • Yes, it works in full OS in Windows 8.1 and Windows 10 as well.
  • Password Protected debug mode!!
  • Customizable colors
  • Easy configuration in a .xml file.

[Image: OSDBackground]

It has a password-protected debug mode for accessing Task Sequence variables, CMTrace, SMSTS.log and Command Prompt. If you haven’t turned off F8 support in your boot image, it is time to do so now! The debug mode is accessed by right-clicking the upper left corner.

[Image: OSDBackground1]

[Image: OSDBackground_Debug]

In the Task Sequence, we simply add a step that executes OSDBackground and specifies which step number it is, as shown below.

[Image: OSDBackgroundTS]

It requires minimal configuration, as everything is configured using a .xml file. It does require .NET Framework and PowerShell support in the boot image, so these need to be added under optional components. The steps shown in the background are easily added or modified, as are the colors and the debug password.

[Image: OSDBackground configuration]

It can be downloaded from Technet Galleries, both the binaries and complete documentation on how to use it: https://gallery.technet.microsoft.com/Replacement-for-BGInfo-0095cff3

Great work Johan!!

I have gotten this question so many times now when writing scripts and blog posts what the difference is between a Task Sequence in MDT and SCCM. In some scenarios this makes a huge difference and is important to know about.

When you execute an OSD Task Sequence in MDT you are logged on as the local administrator account, as shown below. This means that all scripts, applications etc. are run as the local administrator account.

[Image: MDTTS_Context]

[Image: MDTTS_Context1]

When you use Configuration Manager, the Task Sequence is executed in System context, which means that scripts and applications are executed in System context. So if we enable F8 support (remember, testing only!) we are running in System context.

[Image: SCCMTS_Whoami]

Why is this important? Well, if you test and install applications using Configuration Manager you should always test them in System context and not as the local administrator; this can be done using PsExec. When you develop and run scripts you need to be aware of this as well, and again test them in System context if applicable.

An example would be the script I blogged a while ago to set a corporate wallpaper in Windows 10. When running that script we need to take ownership of the files in question before we can replace them. If we run it in MDT we need “Administrator” to own the files to be able to replace them; if we use Configuration Manager we need “System” to own the files instead.

Example MDT

# MDT: the script runs as the local Administrator account.
# Take ownership of the default wallpaper files.
takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
# Grant full control to the account the Task Sequence runs as.
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant 'Administrator:(F)'
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'Administrator:(F)'
# Remove the original files and copy in the corporate wallpaper.
Remove-Item c:\windows\WEB\wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
Copy-Item $PSScriptRoot\img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows

Example Configuration Manager

# Configuration Manager: the script runs in System context.
# Take ownership of the default wallpaper files.
takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
# Grant full control to the account the Task Sequence runs as.
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant 'System:(F)'
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'System:(F)'
# Remove the original files and copy in the corporate wallpaper.
Remove-Item c:\windows\WEB\wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
Copy-Item $PSScriptRoot\img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows

I hope this is helpful!
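The two variants above differ only in the account name passed to icacls. As an added example (not part of the original wallpaper script), the version below resolves the SID of whatever account the step is running as and grants rights to that SID, so the same script works in both MDT and Configuration Manager. It assumes the same file paths as above and that the replacement images sit next to the script.

```powershell
# Added example, not the original wallpaper script.
# Resolve the account this Task Sequence step is actually running as.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid      = $identity.User.Value   # S-1-5-18 means Local System (Configuration Manager)
Write-Host "Running as $($identity.Name) ($sid)"

# Same files as in the two examples above.
$targets = @(
    'C:\Windows\Web\Wallpaper\Windows\img0.jpg',
    'C:\Windows\Web\4K\Wallpaper\Windows\*.*'
)

foreach ($target in $targets) {
    # takeown without /a makes the current account the owner.
    takeown.exe /f $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $target" }

    # icacls accepts a SID prefixed with '*', so no account name is hard-coded.
    icacls.exe $target /grant "*${sid}:(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $target" }
}

# Replace the files, as in the original examples.
Remove-Item 'C:\Windows\Web\Wallpaper\Windows\img0.jpg'
Remove-Item 'C:\Windows\Web\4K\Wallpaper\Windows\*.*'
Copy-Item "$PSScriptRoot\img0.jpg" 'C:\Windows\Web\Wallpaper\Windows\img0.jpg'
Copy-Item "$PSScriptRoot\4k\*.*"   'C:\Windows\Web\4K\Wallpaper\Windows'
```

To test it the way Configuration Manager will run it, start the PowerShell session in System context with PsExec (its -s switch) before running the script.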

After checking the inbox and the junk mail folder just to be sure many times today, THE mail finally arrived! It is a true honor to be awarded MVP for yet another year, my sixth time!

Thanks to all of you, and to Microsoft, for making this happen and for all your support!!


In Configuration Manager 1606 we got a new option to tweak our PXE boot times, TFTPWindowSize, which we can change in the registry on our PXE-enabled DPs.
PXE booting a machine can never be fast enough!

https://technet.microsoft.com/en-us/library/mt627944.aspx#BKMK_RamDiskTFTP

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name: RamDiskTFTPWindowSize
Type: REG_DWORD

The default value is 1 (1 data block fills the window)

We can also tweak the TFTPBlockSize which has been around for many versions of Configuration Manager.

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name: RamDiskTFTPBlockSize
Type: REG_DWORD
Value: <customized block size>

The default value is 4096 (4k).

So I did a lot of testing and when it comes down to it, you need to verify the settings that are best in your environment with your network configuration, your computer models and so on.

What we know for example:

  • HP ProBook, for instance, doesn’t support a TFTPBlockSize value higher than 1456; otherwise it freezes.
  • VMware 5.x doesn’t support a TFTPWindowSize value higher than 8.

I put together this list that could be a good starting point when testing out the different TFTP values. I used a Latitude E7450 and an Optiplex 7010, and Max, who helped me PXE boot, otherwise I would have overdosed on coffee by now!

[Image: TFTPSettings]

Conclusion: UEFI boot is slower! And the values used will be different for many customers, as there are no optimal values that will be best in all environments.

Changing the TFTP settings was really boring, so when I did the tests I wrote this little PowerShell tool as well to help in setting the values. I am planning to update it next week to be able to use it on remote DPs and add some more error handling. But you can use it as it is now to do your testing. Run it as administrator so you have the permissions necessary to change the registry values.

[Image: SCCMTFTPBootChanger]

It can be downloaded here: SCCMTFTP

I hope this can be of use!
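For readers who want to script the two registry values directly, here is an added example (it is not the author's tool, and the function name Set-DpTftpSetting is hypothetical). It writes both values under the key given above, warns about the two limits reported in this post, and returns the previous values so a test can be rolled back. The accepted ranges are an assumption taken from the TFTP option RFCs (2348 and 7440), not from the page.

```powershell
# Added example, not the author's tool. Run elevated on the PXE-enabled DP.
function Set-DpTftpSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Ranges are an assumption based on RFC 2348 / RFC 7440.
        [ValidateRange(8, 65464)][int]$BlockSize  = 4096,  # default per this post
        [ValidateRange(1, 65535)][int]$WindowSize = 1,     # default per this post
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\SMS\DP'
    )

    if (-not (Test-Path $Path)) {
        throw "$Path not found. Is this server a distribution point?"
    }

    # Limits reported in this post.
    if ($BlockSize -gt 1456) {
        Write-Warning 'HP ProBook freezes with a block size above 1456.'
    }
    if ($WindowSize -gt 8) {
        Write-Warning 'VMware 5.x does not support a window size above 8.'
    }

    $new = [ordered]@{
        RamDiskTFTPBlockSize  = $BlockSize
        RamDiskTFTPWindowSize = $WindowSize
    }
    $old = [ordered]@{}

    foreach ($name in $new.Keys) {
        # Remember the current value (null if it was never set).
        $current = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $old[$name] = if ($current) { $current.$name } else { $null }

        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set to $($new[$name])")) {
            New-ItemProperty -Path $Path -Name $name -Value $new[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }

    # Return both sets so the caller can log them or roll back.
    [pscustomobject]@{ Previous = $old; Applied = $new }
}

# Preview a change without writing anything (values here are constructed):
# Set-DpTftpSetting -BlockSize 1456 -WindowSize 4 -WhatIf
```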

There seems to be a bug in the Windows 10 1607 ADK when trying to load the components needed to, for instance, deploy a machine when using 802.1x in your network. The service fails to load with System Error 126, as shown in the screenshot below.

[Image: winpe]

There are some comments about it on forums and as comments on blog posts as well.

For now the workaround would be to use WinPE from the Windows 10 1511 ADK.

In Windows 10 1607, App-V and UE-V are built natively into the operating system (not in Pro) and no additional setup needs to be run anymore. This is awesome! Both App-V and UE-V can be enabled using a Group Policy or by using the following PowerShell commands: Enable-Appv and Enable-Uev.

In some scenarios especially for App-V we need to enable it during OSD in our Task Sequence so that we can install App-V applications before the Group Policies are applied.

This is really simple: we just use PowerShell to activate it. If we want to enable both App-V and UE-V, we use the following command:

powershell.exe -NoProfile -Command "&{ Enable-Appv; Enable-Uev }"

To activate App-V, for instance, use the following command:

powershell.exe -NoProfile -Command Enable-Appv

The Run Command Line Step must run after the Setup Windows and Configuration Manager step as shown below.

[Image: Task Sequence Step]

If we then use the command prompt after that step to check the App-V status, it is now enabled.

[Image: App-V during OSD]

In many scenarios and solutions, we use a single Task Sequence to deploy multiple Windows versions. In these scenarios the following WMI query can be used to only run the command on Windows 10 1607, as shown below:

select * from Win32_OperatingSystem where BuildNumber = "14393"

[Image: Conditions using buildnumber]

This really makes our life simpler!

It is time again! System Center User Group Sweden are planning an Enterprise Client day on the 27th of October at Microsoft in Akalla, Stockholm!
We have a preliminary agenda in place and registrations are now open as well. Hope to see you all there! The sessions will be held in Swedish.

Agenda (preliminary):

0800 – Registration Opens
0815 – Welcome
0830-0915 – Third Party Patching with Shavlik
0930-1030 – Deploying Windows 10 Like A Boss
1045-1130 – Building Secure Mobility with Conditional Access
1130-1230 – Lunch
1230-1315 – ConfigMgr Tech Update
1330-1415 – The Flexera Offering around Client Management
1430-1515 – Customizing Windows 10 for the Enterprise
1530-1615 – Device and Application Management in a Modern World
1630-1715 – Securing your Clients against Modern Threats

Registration is now live here:

https://www.eventbrite.com/e/scug-se-enterprise-client-day-tickets-27391385371

There will also be a Datacenter day the day after, on the 28th of October. More information can be found here:

https://www.eventbrite.com/e/scugse-cloud-and-datacenter-day-tickets-27391969117

Hope to see you all there!!
